Bitcoin Forum
November 13, 2024, 01:14:28 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Nuovocard - Need Advice, Full Members & Above Only.Will Pay 1$ per answer.  (Read 1632 times)
neha (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile WWW
August 16, 2014, 07:20:54 AM
Last edit: August 18, 2014, 07:19:31 AM by neha
 #1

Hello Everyone,

We are looking for some advice. As you might have heard about Nuovocard, we would like to know your opinion on whether we should offer this feature or not.

Feature in Question:Ability to change withdrawal address from the one that they put in during signup?

Background : Nuovocard is primarily going to accessible using emails.

Scenario 1 :
The card holder can only pay at a merchant and merchants need to complete KYC. Thus, if there is any fraud, the card holder knows exactly where to go. If he/she needs to withdraw, it can only go to the withdrawel address they put in during signup. In case they loose theirwallet(whose address it is), they need to either spend it or sign up a for a new account, provide kyc and then spend it at their new account.

Scenario 2 :
Now if we let the card holder could change withdrawal addresses, they can withdraw to any address but so can any hacker in the unlikely event the user has not secured their email properly.


Please reply here and either put your paypal ID here or pm me. If you want I can send it to one person and they can distribute it using BTC. Maximum 100 entries. Paid only for constructive posts that help us and take this issue forward.

Thanks Everyone.

UPDATE :-

SCENARIO 3

You want to Change your Withdrawal Address ---> Do you have access to your Old Withdrawal Address---->

YES -----> Sign a Phrase with Your Old Withdrawal Address and the New One and Send us an email and if checks, Your Withdrawal Address is Changed.

NO ------> You cant withdraw the funds but only spend them. So either go and spend at a Merchant or Signup for a new Account, provide KYC, and spend in your own Account.

Now regarding the email issue as Gitju points, we will make it mandatory to use a Gmail/Outlook/etc email as their Primary Email because they will have SSL Enforced.

Also, if you loose access to your primary email for any reason, you have to give the Secret Phrase which you gave upon Signup and your money gets refunded to the last withdrawal address on file.

IF YOU LOOSE ACCESS TO BOTH PRIMARY EMAIL AND YOUR WALLET AND YOU DONT HAVE KYC ON FILE, YOUR ACCOUNT REMAINS INACTIVE FOREVER OR UNTIL YOU MAKE A TRANSACTION USING THE MAGNETIC CARD AS THAT WILL STILL WORK WITHOUT OTP. OTHERWISE YOU ARE BASICALLY OUT OF ALL OPTIONS.

neha (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile WWW
August 16, 2014, 09:53:43 AM
 #2

I would not offer this in that case.

The feature to have a fixed withdrawal address
(a paper wallet for example which is stored in my safe for the best case)
allows me to not care anymore about any risk here.

The willingness to deposit a higher amount is then higher which also should lead in more customer actions
(buys/sells).

An email account or the connection to an email server could easily be hacked.
Brute/force, stolen passwords, insecure wireless lan or insecure mobile network connections.

Conclusion
-> I vote against the ability to change the withdrawal address from the one that was put in during signup.

Well our connection cannot be hacked for sure unless the server gets hacked and we will know about that soon enough. But this is exactly the reason why we want to limit to only one withdrawal address. But the downside is that will it go down the throats of card holders? We will find out I guess.

I request more of you to advice us please. Thanks.

neha (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile WWW
August 16, 2014, 01:40:40 PM
 #3

An email account or the connection to an email server could easily be hacked.
Brute/force, stolen passwords, insecure wireless lan or insecure mobile network connections.

You said in the other post "An email account or the connection to an email server could easily be hacked.
Brute/force, stolen passwords, insecure wireless lan or insecure mobile network connections. "

I dont understand how do insecure wireless or mobile affect when the emails work over ssl??? Moreover, if your email password is stolen and you dont have 2fa, then alot of your accounts get compromised. Even the web wallets use email as the backup option for forgot password or OTP.

Please explain when you get a chance.

gweedo
Legendary
*
Offline Offline

Activity: 1498
Merit: 1000


View Profile
August 16, 2014, 04:02:21 PM
 #4

Just have the user sign a challenge message before changing the address to a new one.
neha (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile WWW
August 16, 2014, 04:22:40 PM
 #5

Just have the user sign a challenge message before changing the address to a new one.

Yeah. So just so that I understand right, we send the user a signature that he/she should sign the old address and the new one...correct?

Newar
Legendary
*
Offline Offline

Activity: 1358
Merit: 1001


https://gliph.me/hUF


View Profile
August 16, 2014, 04:56:07 PM
 #6

Just have the user sign a challenge message before changing the address to a new one.

Yeah. So just so that I understand right, we send the user a signature that he/she should sign the old address and the new one...correct?

Some sites use Google Authenticator to allow you to change the address. Some others use email confirmation on top of that.

Also, might be of relevance: https://en.bitcoin.it/wiki/Exit_Address

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
neha (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile WWW
August 16, 2014, 05:06:25 PM
 #7


Some sites use Google Authenticator to allow you to change the address. Some others use email confirmation on top of that.

Also, might be of relevance: https://en.bitcoin.it/wiki/Exit_Address

For the purpose of this argument, we are assuming that if you know about google authenticator, then your email is probably not hacked as your email should have 2fa.

In the event on an hack at the customers side, how to best protect the customer. Limiting the user completely to just use their withdrawal address works and also gweedo's way completely works. Even if your email gets hacked, your cold wallet/armory/whatever you are using shouldnt get hacked and thus if we go with gweedo's way, then the hacker wont be able to change the withdrawal address.

So to remove the withdrawal feature completely or Use Gweedo's way? Gweedo's way would mean people need to know how to assign signatures.

Exit address feature doesn't apply with us because there is nothing to hack at our end. Only hack can be performed at users end.

Also, to make it even further secure, we can make users assign their primary email addresses from the webmail providers we choose like gmail, outlook, etc which have SSL forced and they can have a secondary email as anything they want. All viewing, you can use secondary, for OTP's and withdrawels, you need primary.

Jaaawsh
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250

Check out Fastslots.co !!!!


View Profile
August 17, 2014, 04:29:50 AM
 #8

It's just safer to have then pick one address for withdrawals. So hackers have to work a little harder, I think.

I mean how often are you going to lose access to a wallet? Most people who do bitcoin know what they're doing. I don't really but idk. I don't think the basic stuff is hard.

gweedo
Legendary
*
Offline Offline

Activity: 1498
Merit: 1000


View Profile
August 17, 2014, 05:18:26 AM
 #9

It's just safer to have then pick one address for withdrawals. So hackers have to work a little harder, I think.

I mean how often are you going to lose access to a wallet? Most people who do bitcoin know what they're doing. I don't really but idk. I don't think the basic stuff is hard.

Depends on a couple of stuff, like with BIP 32 wallets, I would say anytime you import your seed, you consider that wallet compromised and should generate a new seed.

Or maybe following the correct protocol in that when you use an address (meaning you had funds in it, and then spent it) I would suggest you change the address.
Ripcurl99983
Sr. Member
****
Offline Offline

Activity: 414
Merit: 252



View Profile
August 17, 2014, 05:26:55 AM
 #10

I vote for one deposit address. That way, the responsibility of one's money is completely left to the consumer and it is the most secure. It would cut down on systems management as well. Get a good disclaimer tho.

│⌬

│⌬




                 ▄████▄▄    ▄
██             ████████████▀
████▄         █████████████▀
▀████████▄▄   █████████████
▄▄█████████████████████████
██████████████████████████
  ▀██████████████████████
   █████████████████████
    ▀█████████████████▀
      ▄█████████████▀
▄▄███████████████▀
   ▀▀▀▀▀▀▀▀▀▀▀





                  ▄▄██▄
              ▄▄█▀▀  ██
          ▄▄█▀▀      █▌
      ▄▄█▀▀   ▄▀    ██
 ▄▄▄█▀▀    ▄█▀     ▐█
██      ▄██▀       █▌
 ▀▀██▄███▀        ██
     ██▀▀█▄▄▄     █▌
      █▄  ██▀▀▀█▄██
       █▄█▀









WEBSITE
BITCOINTALK  
EXPLORER  
│⌬ 

│⌬ 

  
                        ████████          ████████             
                       ██████████        ██████████            
                      ████████████      ████████████           
          ██████████████████████████████████████████████████████
          ▀▀▀▀▀▀▀▀▀▀███████▀▀███████▀▀█████▀▀█████████▀▀▀▀▀▀▀▀▀▀
          ▄▄▄▄▄▄▄▄▄███████▄▄▄▄████████████▄▄▄▄█████████▄▄▄▄▄▄▄▄▄
          ██████████████████████████████████████████████████████
                ▄██████▀        ████████       ██████████▄     
              ▄█████████▄        ██████▄        ███████████▄   
            ▄█████████████▄    ▄█████████▄    ▄██████████████▄
Machinecoin 








CRYPTOPIA
COINEXCHANGE
NOVAEXCHANGE  



│⌬

│⌬




       ██             ██
    ██ █████████████████ ██
   █████████████████████████
  ███████████████████████████
 █████████████████████████████
 ████████▀  ▀█████▀  ▀████████
▐███████▌    ▐███▌    ▐███████▌
█████████▄  ▄█████▄  ▄█████████
██ ▀███████████████████████▀ ██
 ██▄▄ ▀▀███████████████▀▀ ▄▄██
  ▀▀███▄▄▄           ▄▄▄███▀▀
      ▀▀▀▀▀         ▀▀▀▀▀





          ▄███████     
         █████████     
         █████▀        
         █████         
     ████████████▓     
     ████████████▌     
     ▀▀▀▀█████▀▀▀      
         █████         
         █████         
         █████         
         █████         
         █████









neha (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile WWW
August 17, 2014, 07:10:47 AM
 #11

Guys based on the discussion here, I think a proper strategy would be to cater to novices and experts.

So here is what I am thinking:-

You want to Change your Withdrawal Address ---> Do you have access to your Old Withdrawal Address---->

YES -----> Sign a Phrase with Your Old Withdrawal Address and the New One and Send us an email and if checks, Your Withdrawal Address is Changed.

NO ------> You cant withdraw the funds but only spend them. So either go and spend at a Merchant or Signup for a new Account, provide KYC, and spend in your own Account.

Now regarding the email issue as Gitju points, we will make it mandatory to use a Gmail/Outlook/etc email as their Primary Email because they will have SSL Enforced.

Also, if you loose access to your primary email for any reason, you have to give the Secret Phrase which you gave upon Signup and your money gets refunded to the last withdrawal address on file.

IF YOU LOOSE ACCESS TO BOTH PRIMARY EMAIL AND YOUR WALLET AND YOU DONT HAVE KYC ON FILE, YOUR ACCOUNT REMAINS INACTIVE FOREVER OR UNTIL YOU MAKE A TRANSACTION USING THE MAGNETIC CARD AS THAT WILL STILL WORK WITHOUT OTP. OTHERWISE YOU ARE BASICALLY OUT OF ALL OPTIONS.

We will only be offering One Deposit Address and that deposit address will be Armory Address.

foxkyu
Hero Member
*****
Offline Offline

Activity: 938
Merit: 1000


View Profile
August 18, 2014, 07:09:09 AM
 #12

i think the scenario one is the best choice
only one address for withdrawal is better than have many address
so if anything happen we can trace it
and if anything happen to their account, or email, or maybe both, admin can contact them by phone
just to make sure everything is fine, if they follow the procedure
neha (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile WWW
August 18, 2014, 07:20:13 AM
 #13

i think the scenario one is the best choice
only one address for withdrawal is better than have many address
so if anything happen we can trace it
and if anything happen to their account, or email, or maybe both, admin can contact them by phone
just to make sure everything is fine, if they follow the procedure

What about Scenario 3???

foxkyu
Hero Member
*****
Offline Offline

Activity: 938
Merit: 1000


View Profile
August 19, 2014, 08:12:28 AM
 #14

What about Scenario 3???
im still choose the first scenario Cheesy
with the same reason of course
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!